Inefficient Regular Expression Complexity Affecting eap8-activemq-artemis-dto package, versions <0:2.40.0-6.redhat_00012.1.el9eap


Severity: high (recommended)

Based on Red Hat Enterprise Linux security rating.

Threat Intelligence

EPSS: 0.47% (38th percentile)

  • Snyk ID: SNYK-RHEL9-EAP8ACTIVEMQARTEMISDTO-16759099
  • Published: 19 May 2026
  • Disclosed: 26 Feb 2026

Introduced: 26 Feb 2026

CVE-2026-27904
CWE-1333

How to fix?

Upgrade RHEL:9 eap8-activemq-artemis-dto to version 0:2.40.0-6.redhat_00012.1.el9eap or higher.
This issue was patched in RHSA-2026:18055.

NVD Description

Note: Versions mentioned in the description apply only to the upstream eap8-activemq-artemis-dto package and not to the eap8-activemq-artemis-dto package as distributed by RHEL. See "How to fix?" for the relevant RHEL:9 fixed versions and status.

minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested *() extglobs produce regexps with nested unbounded quantifiers (e.g. (?:(?:a|b)*)*), which exhibit catastrophic backtracking in V8. With a 12-byte pattern *(*(*(a|b))) and an 18-byte non-matching input, minimatch() stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default minimatch() API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects +() extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.
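A pre-filter for untrusted glob patterns, as an added example that is not code from minimatch, Snyk or Red Hat: it measures how deeply the *() and +() extglobs described above are nested, so a caller can reject nested patterns before they reach minimatch() on a version that is not yet fixed. The function names and the depth limit of 1 are assumptions, and the scanner assumes default minimatch options, where a backslash escapes the next character.

```javascript
// Added example (not minimatch or vendor code); names and limit are assumptions.
// Assumes default minimatch options, where a backslash escapes the next character.

const MAX_REPEAT_DEPTH = 1; // assumed policy: one *() or +() level, no nesting

// Deepest nesting of repeating extglobs, *( ... ) and +( ... ), in a glob.
// Errs toward rejecting: literal parentheses are tracked as if balanced, and
// after an unescaped '[' no group is closed, because a ')' inside a bracket
// class is literal and must not hide a nested group.
function maxRepeatingExtglobDepth(pattern) {
  const opened = []; // per open paren: true if it began a *( or +( group
  let sawBracket = false;
  let depth = 0;
  let max = 0;
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === '\\') {
      i++; // escaped character is literal, skip it
    } else if ((c === '*' || c === '+') && pattern[i + 1] === '(') {
      opened.push(true);
      depth++;
      max = Math.max(max, depth);
      i++; // consume the '('
    } else if (c === '(') {
      opened.push(false); // ?(, @(, !( or a literal paren
    } else if (c === '[') {
      sawBracket = true;
    } else if (c === ')' && !sawBracket && opened.length > 0) {
      if (opened.pop()) depth--;
    }
  }
  return max;
}

// True when the pattern may be passed to minimatch() under the assumed policy.
function isAcceptableGlob(pattern) {
  return maxRepeatingExtglobDepth(pattern) <= MAX_REPEAT_DEPTH;
}

// Constructed sample patterns; the first is the 12-byte pattern quoted above.
for (const p of ['*(*(*(a|b)))', '+(+(a|b))', '*(a|b)', 'src/**/*.js']) {
  console.log(p, maxRepeatingExtglobDepth(p), isAcceptableGlob(p) ? 'accept' : 'reject');
}
```

A filter like this is a stopgap for code paths that accept patterns from untrusted sources; the fix itself is the package upgrade listed under "How to fix?".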

CVSS Base Scores

version 3.1